03-24-2017 11:35 AM - edited 03-05-2019 08:14 AM
I am load balancing over two ISPs and have an ISA570 firewall. We need a second public IP block as we have used up the existing ones we have with our main ISP. Now, it sounds like the ISP can do one of two things.
1. They can trunk the port and add the new block off of the ISP router with a new VLAN, which would require us to add the corresponding VLAN to our WAN interface of our firewall. Then we could use the remaining IPs for static NAT.
Or
2. They can route you the block, which from what I am reading means you can just start entering static NAT entries and use them accordingly.
1. For the first option, there doesn't seem to be an option in the firewall to add a VLAN for a WAN interface. Even if there was, how would the firewall choose which subnet to use for PAT? The first public block or the new public block? Static NAT entries for inbound traffic would work from what I am gathering, but what outbound IP address would be seen from the outside for a host set up with an address from this second public IP block? This goes along with question two below.
2. If they route me the block, how does the static NAT for the second public IP subnet work on my firewall? Do I have to add a default route to the ISP's gateway our firewall connects to?
Thanks in advance.
04-03-2017 12:05 PM
Yeah, confirmed. They set up the secondary IP address, which is what I figured when they put the IP on the gateway. From what I am reading, it says you shouldn't use the secondary IP permanently, because there can be issues with two subnets in the same broadcast domain.
04-03-2017 12:14 PM
So, I got off the phone with one of the engineers and he said that they can't set up a static route for the new block to our box over the existing public subnet. He made it sound like you can't do it because right now their router is in bridge mode. Does what they are saying make sense? Ever run into this?
04-04-2017 05:37 AM
My experience is that routing the new subnet is more common, but different ISPs do things differently, and based on the way they have set up their router it sounds like using a secondary IP is the only way.
As to whether it is a good thing or not, the main issue is that you are increasing the broadcast domain by using secondary IPs, which can be an issue, but with the small number of IPs in the original and new subnets you should be okay.
Jon
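As an added illustration of the two delivery models discussed in this thread (this is not the poster's configuration, not Cisco ISA570 code, and not anything the firewall itself runs), the script below models the WAN link with Python's `ipaddress` module and answers the two practical questions from the ISP router's point of view: how many addresses end up in the shared broadcast domain under each model, and whether the firewall has to answer ARP for a static-NAT address in the new block. All addresses are constructed documentation ranges, the labels "secondary" and "routed" are my own names for the two models, and the firewall's own WAN address is an assumed value.

```python
from dataclasses import dataclass
from typing import List, Optional, Union
from ipaddress import IPv4Address, IPv4Network, ip_network

# Constructed sample addressing (RFC 5737 documentation ranges), not the thread's real blocks.
PRIMARY = ip_network("198.51.100.0/29")     # existing block on the WAN link
NEW_BLOCK = ip_network("203.0.113.0/28")    # additional block the ISP is adding
ISP_GATEWAY = IPv4Address("198.51.100.1")   # ISP router's address on the shared link
FIREWALL_WAN = IPv4Address("198.51.100.2")  # assumed primary WAN address of the firewall

Addr = Union[str, IPv4Address]


@dataclass(frozen=True)
class Delivery:
    """How the ISP router hands over a packet destined to an address in NEW_BLOCK."""
    method: str                      # "arp" = resolve on the shared segment, "route" = forward to next hop
    next_hop: Optional[IPv4Address]  # only meaningful when method == "route"


def on_link_networks(model: str) -> List[IPv4Network]:
    """Subnets that share the WAN broadcast domain under each delivery model."""
    if model == "secondary":   # ISP adds NEW_BLOCK as a secondary address on its interface
        return [PRIMARY, NEW_BLOCK]
    if model == "routed":      # ISP installs a route for NEW_BLOCK with FIREWALL_WAN as next hop
        return [PRIMARY]
    raise ValueError(f"unknown model: {model}")


def broadcast_domain_size(model: str) -> int:
    """Number of addresses carried on the shared segment (Jon's concern about secondaries)."""
    return sum(n.num_addresses for n in on_link_networks(model))


def isp_delivery(dst: Addr, model: str) -> Delivery:
    """From the ISP router's view: is dst on-link (it will ARP) or reached via a route?"""
    dst = IPv4Address(dst)
    if any(dst in n for n in on_link_networks(model)):
        return Delivery("arp", None)
    if dst in NEW_BLOCK and model == "routed":
        return Delivery("route", FIREWALL_WAN)
    return Delivery("route", None)   # not one of our blocks; follows the ISP's upstream routing


def firewall_must_answer_arp(nat_addr: Addr, model: str) -> bool:
    """A static NAT entry for nat_addr only receives traffic if the firewall answers the
    ISP router's ARP for it. With a routed block the ISP never ARPs for NEW_BLOCK: it
    forwards to FIREWALL_WAN, whose ARP entry it already has."""
    nat_addr = IPv4Address(nat_addr)
    if nat_addr not in NEW_BLOCK:
        raise ValueError("only addresses in NEW_BLOCK are static-NAT targets in this example")
    return isp_delivery(nat_addr, model).method == "arp"


def outbound_next_hop(model: str) -> IPv4Address:
    """Outbound and return traffic sourced from either block still leaves via the existing
    default route toward ISP_GATEWAY, so neither model needs an extra route on the firewall."""
    on_link_networks(model)   # validates the model name
    return ISP_GATEWAY


if __name__ == "__main__":
    nat_target = "203.0.113.5"
    for model in ("secondary", "routed"):
        print(f"{model:>9}: broadcast domain = {broadcast_domain_size(model):2d} addresses, "
              f"ISP delivers {nat_target} via {isp_delivery(nat_target, model)}, "
              f"firewall answers ARP: {firewall_must_answer_arp(nat_target, model)}, "
              f"outbound next hop: {outbound_next_hop(model)}")
```

Running it shows the trade-off in the thread directly: under the "secondary" model the /29 and the /28 share one segment (24 addresses in one broadcast domain) and the firewall has to answer ARP for every static-NAT address in the new block, while under the "routed" model the segment stays at 8 addresses and the firewall simply owns the new block behind its existing WAN address. In both cases the default route is unchanged, which is the answer to the poster's second question.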